" hipaa Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more
LUXSCI

Posts Tagged ‘hipaa’

What is HIPAA-compliant Email Marketing?

Monday, January 13th, 2020

Why does your organization need HIPAA-compliant email marketing? It’s simple. Businesses in the healthcare field (and those that process their data) have many of the same needs as other companies. They need to be able to get their messages out, so that they can help more people and drum up more business.

Whether it’s HIPAA-compliant bulk email or emails that are specific to the individual, the messages need to be sent in a way that abides by the regulations, both to protect the privacy of patients, and to avoid legal penalties.

When Should You Send HIPAA-compliant Email Marketing?

HIPAA-compliant email marketing is critical whenever your organization could potentially be sending electronic protected health information (ePHI). This is information that is both individually identifiable and relates to someone’s healthcare.

Individually identifiable means information that can be connected with the person. This includes identifiers like their name, address, birth date, email address, social security number and much more. Not only does the definition of ePHI cover people’s past, present and future health condition, but it also includes treatment provisions and billing details.

While anonymous health details or individual identifiers sent by themselves are not covered by the law, when the two are brought together you need to be careful and abide by HIPAA regulations. You will need a HIPAA-compliant email marketing service whenever you send ePHI, and it’s best to err on the safe side even if you think an email may not contain ePHI.

A good example of a borderline case would be a newsletter sent around to all of a clinic’s cancer patients. While the email may contain helpful information, it could also end up breaching the patients’ privacy and HIPAA regulations.

This is because the emails are sent to an address, which is a personal identifier. If the message was only sent out to cancer patients rather than to many different people, then the email could be considered ePHI, since being a recipient of the message would effectively declare that the recipient was a cancer patient.

While this may sound like a stretch, it’s also important to consider that normal email isn’t secure. If a politician or a CEO’s email was intercepted and this information released, it could cause damage to their careers and take some agency away from their lives.

This is just one example of why it’s crucial to err on the safe side and use HIPAA-compliant email marketing for any promotional materials whenever there is even the slightest possibility of sending ePHI.

On the other hand, if you have a HIPAA-compliant email marketing solution that allows for the sending of ePHI in email messages, then you can leverage ePHI to send much more effective messages.  You have a much larger return on your effort. 

HIPAA-compliant Bulk Email Solution

Finding an appropriate service for HIPAA-compliant bulk email marketing can be challenging. Most of the common vendors aren’t HIPAA compliant at all. Others claim compliance, but still require you to not send anything sensitive via email (because they do not actually secure the email messages).  Finding one that can suit your business needs and can also protect the actual email messages is difficult.

Thankfully, LuxSci’s High Volume Secure Email has been designed to cater to both needs. Security and compliance are considered at every step of the way, while still delivering a top-quality product that fits right into your organization’s workflows.

What Level of SSL or TLS is Required for HIPAA Compliance?

Thursday, January 2nd, 2020

SSL and TLS are not actually monolithic encryption entities that you either use or do not use to connect securely to email servers, web sites, and other systems.  SSL and TLS are evolving protocols which have many nuances to how they may be configured.  The “version” of the protocol you are using and the ciphers used directly impact the level of security achievable through your connections.

Some people use the terms SSL and TLS interchangeably, but TLS (version 1.0 and beyond) is actually the successor of SSL (version 3.0). … see SSL versus TLS – what is the difference?  In 2014 we saw that SSL v3 was very weak and should not be used going forward by anyone (see the POODLE attacks, for example); TLS v1.0 or higher must be used.

Among the many configuration nuances of TLS, the protocol versions supported (e.g., 1.0, 1.1, 1.2, and 1.3) anfd which “ciphers” are permitted have the greatest impact on security.  A “cipher” specifies encryption algorithm to be used,  the secure hashing (message fingerprinting / authentication) algorithm to be used, and other related things such as how encryption keys are negotiated.   Some ciphers that have long been used, such as RC4, have become weak over time and should never be used in secure environments.  Other ciphers provide protection against people who record a secure conversation from being able to decrypt it in the future if somehow the server’s private keys are compromised (perfect forward secrecy).

What level of TLS is required by HIPAA?

Given the many choices of ciphers and TLS protocol versions, people are often at a loss as to what is specifically needed for HIPAA compliance for an appropriate and compliant level TLS security.  Simply “turning on TLS” without also configuring it appropriately is likely to leave your transmission encryption non-complaint.

Read the rest of this post »

How Can You Tell if an Email Was Transmitted Using TLS Encryption?

Tuesday, October 29th, 2019

Frequently, we are asked to verify if an email that someone sent or received was encrypted using SMTP TLS while being transmitted over the internet.  For example, banks, health care organizations under HIPAA, and other security-aware institutions have a requirement that email be secured at least by TLS encryption from sender to recipient.

Email should always be transmitted with this basic level of email encryption ensure that the email message content cannot be eavesdropped upon.  This check, to see if a message was sent securely, is fairly easy to do by looking the the raw headers of the email message in question.  However, it requires some knowledge and experience.  It is actually easier to tell if a recipient’s server supports TLS than to tell if a particular message was securely transmitted.

To see how to analyze a message for its transmission security, we will look at an example email message sent from Hotmail to LuxSci, and see that Hotmail did not use TLS when sending this message.  Hotmail is not a good provider to use when security or privacy are required.

Read the rest of this post »

What is Willful Neglect Under HIPAA?

Thursday, March 7th, 2019

HIPAA, the Health Insurance Portability and Accountability Act of 1996, spells out rules and regulations for the privacy and protection of individually identifiable health information. The HIPAA Privacy Rule and the HIPAA Security Rule establish standards related to the implementation of physical, administrative, and technical safeguards to ensure that PHI or Protected Health Information is handled with the utmost confidentiality and integrity.

The failure to adhere to the regulations established under HIPAA can lead to criminal and civil penalties, followed by progressive disciplinary actions. These penalties apply to to healthcare entities, as well as individuals.

The reckless or intentional failure to comply with the rules set forward under HIPAA is what is referred to as “Willful Neglect.”  Violations, as a result of willful neglect, can carry severe penalties, civil or criminal depending on the exact facts of the case.

what is willful neglect HIPAA

Case in point

In early 2011, the HHS (The Department of Health and Human Services) levied a fine of $4.3 million on an entity named Cignet Health Center for willful neglect. What’s unique about this case is that the entity was not fined for breach of privacy.

Read the rest of this post »

What You Need To Know About the HIPAA Security Rule

Thursday, January 10th, 2019

In this day and age of rampant cybercrime, protecting a patient’s electronic health information is of the utmost importance. But, how do you know if the protections are adequate? Well, that’s where the HIPAA Security Rule comes in.

What is the difference between the privacy and security of health information?

With respect to health information, privacy is defined as the right of an individual to keep his/her individual health information from being disclosed. This is typically achieved through policy and procedure. Privacy encompasses controlling who is authorized to access patient information; and under what conditions patient information may be accessed, used and/or disclosed to a third party. The HIPAA privacy Rule applies to all protected health information.

Security is defined as the mechanism in place to protect the privacy of health information. This includes the ability to control access to patient information, as well as to safeguard patient information from unauthorized disclosure, alteration, loss or destruction. Security is typically accomplished through operational and technical controls within a covered entity. Since so much PHI is now stored and/or transmitted by computer systems, the HIPAA Security Rule was created to specifically address electronic protected health information

Now, the HIPAA Security Rule isn’t extensive regarding the regulatory text. However, it is quite technical. It is the codification of specific information and technological best practices and standards.

The HIPAA Security Rule mainly requires the implementation of three key safeguards, that is, technical, physical, and administrative. Other than that, it demands certain organizational requirements and the documentation of processes, as it is with the HIPAA Privacy Rule.

HIPAA Security Rules

Developing the necessary documentation for the HIPAA Security Rule can be complex, compared to the requirements of the HIPAA Privacy Rule. Healthcare providers, especially smaller ones, need to be given access to HIT (Health Information Technology) resources for this purpose.

Having said that, the HIPAA Security Rule is designed to be flexible, which means covering all the required aspects of security shouldn’t be tough. There is no need for leveraging specific procedures or technologies. Organizations are allowed to determine the kind of resources necessary for ensuring compliance.

Read the rest of this post »

LUXSCI